Ask HN: How are you mitigating the risks of node modules?

It is widely known that node modules are a big security risk because of their deeply nested tree, and developers tend not to install new packages just for this. From a recent HN comment [0]:

> Does anyone know if there has been reliable research towards the security of the entire RN dependency tree? Seeing a stray dep there that has 1 maintainer on npm/GitHub who has been inactive for over a year makes me nervous. Any one of those JavaScript projects could do something nefarious deep under the hood, and this to me seems to expose a huge surface area for attackers.

How are you personally mitigating the risks, or what are the policies/processes at your company?

[0] https://news.ycombinator.com/item?id=23160588
No comments yet